Medicare and Medicaid Data Breach Hits 103,000 Americans As Fraudulent Accounts Opened Using Victims’ Personally Identifiable Information

A newly discovered data breach of the U.S. Centers for Medicare and Medicaid Services (CMS) has impacted more than 100,000 Americans.

In a new statement, the CMS says that an investigation discovered fraudulent Medicare.gov accounts were opened using personal data from its system, impacting 103,000 people.

“On May 2, CMS’ 1-800-MEDICARE call center began receiving inquiries from beneficiaries who received letters confirming the creation of Medicare.gov accounts they did not initiate. CMS promptly launched an investigation and discovered that malicious actors had fraudulently created new accounts between 2023 and 2025 using valid beneficiary information, including Medicare Beneficiary Identifiers (MBI), coverage start date, last name, date of birth and zip code.”

The fraudsters may have stolen other personal information as well, including provider information, mailing address, dates of service, diagnosis codes, services received and plan premium details.

CMS is sending letters to those whose information was stolen, alerting them that it will send them a new Medicare card with a new Medicare number in the coming weeks.

The federal agency says it has also deactivated all fraudulently created Medicare.gov accounts and disabled the ability to create new Medicare.gov accounts from foreign IP addresses.

CMS says it has yet to receive any reports of identity fraud or misuse of the information resulting from the cyberattack.

Generated Image: Midjourney